Have you used HardenedBSD ? Did you like it ?

gpw928

Well-Known Member

Reaction score: 150
Messages: 415

I am at the moment using 4G internet. I am stuck with ISP's router. In future I am going to use a fiber connection. If OPNsense is based on HardenedBSD I will definitely use OPNsense. My plan was to use PFsense but I guess OPNsense is more secure. Thanks for the info.
There is no reason to be "stuck" with your ISP's router. Both OPNsense and pfSense support 3G and 4G modems directly.

Going to fiber just means that you will need to interface to another sort of modem.

Sorting out how to separate the functions you generally get in the "integrated ISP box" (modem, router, firewall, WiFi transceiver, Ethernet switch, Terminal Adapter, ...) is a small challenge.

OPNsense tracks FreeBSD fairly closely, but with some delay, as it must await the HardenedBSD porting effort. I'm looking forward to ARM support, but have been for quite some time!

pfSense seems to have a significantly greater level of community support active. It has a long history, and a large commercial base. Those characteristics make it a worthy firewall candidate.

Both offer sound security. Choosing OPNsense because it is slightly more secure against esoteric attacks might be poor risk analysis, especially if better support from the pfSense community means you are less likely to make mistakes that might allow your system to be penetrated in the first place.
 

gpw928

Well-Known Member

Reaction score: 150
Messages: 415

And while those security frameworks are nice and interesting and do make sense in some environments, just look around at some tutorials about RedHat/Centos: most of them suggest to turn off SELinux in the first paragraph, otherwise the stuff you are configuring won't work - so what's the use of a security framework if you have to turn it off for most of the software you are trying to run? Even if you choose to develop all those complex SELinux rulesets, it is a hell of a lot of work!
My experience with SELinux is that it's a "feature" that managers are told by higher (unquestionable) authorities that they must tick in order to comply with best practice -- and they won't meet their required outcomes unless they do it.

The practical outcome is that applications get their behaviour profiled at run time, and a ruleset created to describe "normal behaviour" in production.

Then, one day, something unusual happens, and the application traverses a normally unused code path leading to the execution of an unexpected system call.

Bang! Your production system just went down... Usually at the most inconvenient time.

My recommendation would always be to apply an appropriate risk analysis before deploying SELinux. If you are running a nuclear power plant, or a network of spies in a foreign country, by all means get the source code of your application and do the work to create a completely "correct" SELinux ruleset. Otherwise think through the risk analysis. As Bruce Schneier says, "More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk".
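The profiling workflow discussed in the post above, as an added example that is not from the thread: it builds a ruleset from the accesses logged while profiling, then reports an enforced denial in production together with the permission the profile never observed. The log records, the `appd_t` domain and the other type names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log records (hypothetical appd_t domain). permissive=1:
# the access was only logged; permissive=0: the kernel blocked it.
PROFILING = [
    'type=AVC msg=audit(1620000001.101:201): avc:  denied  { read open } for  pid=4102 comm="appd" path="/srv/app/data.db" scontext=system_u:system_r:appd_t:s0 tcontext=system_u:object_r:appd_data_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1620000002.417:202): avc:  denied  { name_connect } for  pid=4102 comm="appd" dest=5432 scontext=system_u:system_r:appd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1',
]
PRODUCTION = [
    'type=AVC msg=audit(1625000000.009:911): avc:  denied  { write } for  pid=977 comm="appd" path="/srv/app/data.db" scontext=system_u:system_r:appd_t:s0 tcontext=system_u:object_r:appd_data_t:s0 tclass=file permissive=0',
]

AVC = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)\s+permissive=(?P<perm>[01])")

def parse(line):
    """Return ((source_type, target_type, class), perms, enforced) or None."""
    m = AVC.search(line)
    if not m:
        return None
    key = (m["src"], m["tgt"], m["cls"])
    return key, set(m["perms"].split()), m["perm"] == "0"

def build_profile(lines):
    """Union the permissions seen per (source, target, class) while profiling."""
    profile = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        profile[rec[0]] |= rec[1]
    return profile

def allow_rules(profile):
    """Render the profile as SELinux 'allow' statements."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(profile.items())]

def outages(profile, lines):
    """Enforced denials, with the permissions the profile never observed."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        key, perms, enforced = rec
        if enforced:
            hits.append((key, sorted(perms - profile.get(key, set()))))
    return hits
```

Here the profile only ever saw reads of the data file, so the first write in production is blocked; `outages()` names the missing permission for review.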
 

chrcol

Well-Known Member

Reaction score: 50
Messages: 471

I have it running on two VMs, one of which does run some services for my personal use.

I do feel at least some of these features are long overdue in FreeBSD but I also understand why there is hesitancy in adding them, the main barrier probably being performance, for all the mitigations using INVARIANT is required in the kernel, and on my two installations it is noticeable on performance.

Another issue I noticed is the binary OS updater is very lacking, usually I do src compile updates but I had let one of the machines go too out of date to the point the clang was too old to build a supported world, so had to use the binary updater, which had some issues, one of them being it doesn't do the stuff normally handled by mergemaster.

It has its own ports tree which requires manual maintenance as portsnap is not supported, but what is nice is that the ports tree does support PIE etc.

I found out recently that opnsense is reverting to stock FreeBSD as its base, so I am not sure now what the future is for hardenedbsd other than a proof of concept. But I will keep the two vm's on it, unlikely for any production servers though.
 

Trihexagonal

Daemon

Reaction score: 1,703
Messages: 2,277

I care a lot about security so I am curious.
We all care about security. What's going to make one OS any more secure than another for you is what I'm curious to know.

Yes, I am using GhostBSD purely as a desktop OS. Nothing is exposed to the web. I ran a nmap scan just to make sure that no ports are open.
I'm using FreeBSD purely as a desktop OS and connected to the Internet right now. I've had OpenBSD, OpenIndiana and Oracle Solaris desktops, have 9 laptops and 8 are running FreeBSD right now. One is waiting for me to get around to changing it over from Kali Linux.

To me, FreeBSD feels more polished as a desktop OS, and I have scads of screenshots going back years in that thread. Any vulnerabilities in the Base System are addressed in a timely manner and it is easy to update: freebsd-update fetch and, if there is one, freebsd-update install.

Third party programs like Firefox are usually updated quickly. Your skill and ability to work out possible problems with ports or pkg is something nobody has to start with and can only be learned from experience.

If you only have 1 computer on your LAN did you run the scan from that machine, another one on the Internet or a site that has online nmap scans? And if you scanned your own machine, from that machine, what nmap command did you use? It makes a difference.

That said, I have something just for you. Right here, right now:


You can use pkg and still follow the outline. That should get you to a Fluxbox desktop complete with System and Security settings to get you started including a pf firewall ruleset. And a ruleset if you use CUPS in the comments section, soon to appear on my newly updated site.
 

gpw928

Well-Known Member

Reaction score: 150
Messages: 415

I am not using a 3G or 4G modem. This is the router that my ISP has provided :

https://www.flipkart.com/jiofi-jmr-1140-data-card/p/itmf6mch497kmnpp
Indiamart says:
JioFi 4 JMR 1140 is a portable wireless router from Reliance Digital that allows multiple users to access the 4G internet and create a personal Wi-Fi hotspot.
So, it's got a 4G modem, router, firewall, and WiFi transceiver integrated into a single box.

It almost certainly doesn't make sense to change what you have until you have a good reason. Having said that, it's technically possible to acquire, as separate components:
  • a stand-alone USB 4G modem;
  • an OPNsense or pfSense firewall/router on a FreeBSD system; and
  • a WiFi transceiver for connection to the internal network.
Your ISP should be consulted to see if they have any recommendations regarding the brand/model of stand-alone 4G modem, and to determine the configuration settings required. Any good ISP will provide this (not all ISPs are good).

If you wish to use OPNsense or pfSense, you will have to move to this type of architecture (i.e. dump the all-in-one integrated box in favour of separate components). Then when you get your fiber connection, all you have to do is switch the modem. Where I live, fiber service modems are provided by the ISP, and present an Ethernet port for connection to the firewall. [They are the simplest Internet modem of all.]
 
OP
john_rambo


Member

Reaction score: 3
Messages: 97

Trihexagonal
Since you have provided that tutorial I have 2 questions.

1) I am using GhostBSD which as you know is a fork of FreeBSD tweaked to make it user friendly for average desktop users. Is there any disadvantages if I continue using GhostBSD Vs FreeBSD? To be honest despite the fact that I have used GhostBSD for like 15 days I really like the experience.

2) You mention PF. GhostBSD uses IPFW by default. Is PF superior in comparison to IPFW ?

Yes since I have only one PC I ran the nmap scan from the same machine. The local IP 192.168.225.21 is provided by my router using DHCP.

I used the following nmap command:

Code:
~> nmap 192.168.225.21
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-03 12:01 IST
Nmap scan report for homepc (192.168.225.21)
Host is up (0.000016s latency).
All 1000 scanned ports on homepc (192.168.225.21) are closed

Nmap done: 1 IP address (1 host up) scanned in 6.09 seconds

gpw928

This is just a temporary solution. We will move to a new house soon & once we move I will replace this 4G connection with fiber broadband & I will buy a low energy consuming motherboard/CPU combo for OPNsense or PFsense. I have some experience with PFsense. I used PFsense some years back when I was using cable broadband. Due to high ping & speed drops I got fed up with that ISP & purchased this 4G router. The hardware that I was using for PFsense is no longer in working condition.

If you are in my position which one will you choose ? PFsense or OPNsense ? There's a reason for this question.

When I was using PFsense I registered at their forum but now I find that that particular forum has vanished from the WWW. Now when I search "pfsense forum" on Google I see this forum https://forum.netgate.com/

The forum that I was participating in was not forum.netgate.com it was something else. Sorry I didn't copy the exact address in my KeePassXC database.
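On the self-scan discussed above, as an added example that is not from the thread: a scan of the host's own LAN address from the host itself shows which sockets answer on that address and says little about what a firewall admits from another machine, so the listening-socket table is the more direct check. The sketch parses a constructed sample in the layout of FreeBSD's `sockstat -4 -6 -l`; the services listed are assumptions, and only the address 192.168.225.21 comes from the post.

```python
import ipaddress

# Constructed sample in the column layout of FreeBSD's `sockstat -4 -6 -l`
# (not output from the poster's machine).
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     cupsd      901   6  tcp4   127.0.0.1:631         *:*
root     cupsd      901   5  tcp6   ::1:631               *:*
root     sshd       812   4  tcp4   *:22                  *:*
root     sshd       812   3  tcp6   *:22                  *:*
ntpd     ntpd       733   21 udp4   192.168.225.21:123    *:*
"""

def parse_listeners(text):
    """Return a dict per listening socket: command, proto, addr, port."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:
            continue  # header line or a layout this sketch does not handle
        addr, _, port = f[5].rpartition(":")
        if not port.isdigit():
            continue  # unbound socket shown as *:*
        rows.append({"command": f[1], "proto": f[4],
                     "addr": addr.split("%")[0], "port": int(port)})
    return rows

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; the wildcard '*' is not loopback."""
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def answers_on(rows, target):
    """(proto, port) pairs that accept traffic addressed to `target`."""
    family = str(ipaddress.ip_address(target).version)  # "4" or "6"
    return sorted((r["proto"], r["port"]) for r in rows
                  if family in r["proto"][3:]
                  and r["addr"] in ("*", target))

def loopback_only(rows):
    """Listeners that a scan of the LAN address can never see."""
    return sorted((r["proto"], r["port"]) for r in rows
                  if is_loopback(r["addr"]))
```

Wildcard listeners are the ones to review against the firewall ruleset; a default nmap run covers TCP only, so the UDP entry would not show up in it either way.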
 

tingo

Daemon

Reaction score: 609
Messages: 2,494

There's a reason for that. I have only 1 desktop at home. So it was not possible for me to do the necessary research about the problem. Frankly I just panicked.
This is the one disadvantage of today's world: all the information you need is on the internet, so you need a working computer (or, if so inclined a phone or a tablet) in order to set up / fix things. If working on computers, you need at least one other than the one you are working on.
 

Trihexagonal

Daemon

Reaction score: 1,703
Messages: 2,277

Trihexagonal
Since you have provided that tutorial I have 2 questions.

1) I am using GhostBSD which as you know is a fork of FreeBSD tweaked to make it user friendly for average desktop users. Is there any disadvantages if I continue using GhostBSD Vs FreeBSD? To be honest despite the fact that I have used GhostBSD for like 15 days I really like the experience.
If you're enjoying your experience with GhostBSD then there is no reason you should change. It would only make things harder for you since that already comes with a desktop.

2) You mention PF. GhostBSD uses IPFW by default. Is PF superior in comparison to IPFW ?
Not in any area other than personal preference.

It's what I've been using for 16 years so that's what I know and like.
 

gpw928

Well-Known Member

Reaction score: 150
Messages: 415

If you are in my position which one will you choose ? PFsense or OPNsense ? There's a reason for this question.

When I was using PFsense I registered at their forum but now I find that that particular forum has vanished from the WWW. Now when I search "pfsense forum" on Google I see this forum https://forum.netgate.com/

The forum that I was participating in was not forum.netgate.com it was something else. Sorry I didn't copy the exact address in my KeePassXC database.
99.9% of the population use a WiFi router appliance with integrated firewall, pretty much exactly the same as what you are using now. The details may vary (e.g. type of modem, presence of Telephone Adapter for VoIP and hardware Ethernet switch, WiFi standards, hardware speeds), but they all do the same basic task.

Most people just take what their ISP offers, as it will usually be pre-configured, and well supported by the ISP.

When your Internet connection is by some type of cable (copper, coax, fiber), enthusiasts may look for something "better" and go for the BYO router option. There's heaps of choice. Just make sure its "WAN link" will work with your ISP's plug in the wall.

So the first question is why do you want a separate firewall?

There are plenty of good answers, including simple curiosity to learn, portability to a different ISP or Internet connection method, and enhanced control to support unusual things (e.g. VPN, DMZ Internet servers).

OPNsense and pfSense are derived from a common base. pfSense is commercial (but with a "free" version). OPNsense is free software.

OPNsense works traditionally on X86 hardware. I know that there's a lot of people interested in ARM, especially since it moved to a FreeBSD 12.1 base, but I can't discern any solid support for it yet.

Netgate is the corporation that sells pfSense based products (cloud, appliances, software). However you can download a "free" Community Edition. There's a very active forum (sponsored and moderated by Netgate).

pfSense runs on X86, but I think that there are now some ARM platforms sold by Netgate (but I gather it's not a realistic option to build your own from the Community Edition).

As I said above, choosing OPNsense because it is slightly more secure against esoteric attacks might be poor risk analysis, especially if better support from the pfSense community means you are less likely to make mistakes that might allow your system to be penetrated in the first place.

I'm patiently waiting for OPNsense to get ARM support for a Raspberry Pi (which has sufficient "grunt" for my modest needs). If I had to purchase new firewall hardware, I would seriously consider the Community Edition of pfSense. I have used both, and they are very similar.
 
  • Thanks
Reactions: mtu
OP
john_rambo


Member

Reaction score: 3
Messages: 97

So the first question is why do you want a separate firewall?

There are plenty of good answers, including simple curiosity to learn, portability to a different ISP or Internet connection method, and enhanced control to support unusual things (e.g. VPN, DMZ Internet servers).
There's also a very important reason why I or any security-conscious user want a separate firewall. No matter which brand of router you buy & no matter how expensive it is, in my personal experience I have seen that all of them are simply pathetic when it comes to releasing firmware updates. Some brands do offer security updates but not more than 3-5 years. People who have technical knowledge deal with this situation by using open source firmware like DD-WRT.

When I was using PFsense I was updating it like 3-4 times a week.
 

gpw928

Well-Known Member

Reaction score: 150
Messages: 415

No matter which brand of router you buy & no matter how expensive it is, in my personal experience I have seen that all of them are simply pathetic when it comes to releasing firmware updates.
...
When I was using PFsense I was updating it like 3-4 times a week.
There are a couple of additional issues that are relevant to the risk analysis.

The first is back doors on turnkey appliance firewalls. There have been so many of these found from multiple vendors that they alone justify extreme caution. It's the main reason I don't use a consumer appliance Internet firewall.

The second is attack surface. Your average consumer appliance firewall is closed to incoming connections. In that state, the attack surface is small, and the risk is small (modulo back doors).

It's only when you open up the firewall to facilitate Internet facing services (like running a web or mail server) that the attack surface opens up. And it opens up a lot. So much that I would always be inclined to relocate the risk to the cloud in some way (assuming I didn't have teams of experts in my own organisation).

The reason pfSense requires such regular patching relates to a whole ecosystem of operating system and application software that is under active development. Without an operating system and multiple applications and active development, there are fewer bugs to fix. I'm not saying that you are wrong about consumer appliances needing more patching. But, as a matter of degree, they need it much less than a full blown application firewall.
 

mark_j

Aspiring Daemon

Reaction score: 519
Messages: 965

https://hardenedbsd.org/content/about

I am using GhostBSD. I like it. Its quite user friendly. I searched about which is the most secure OS & found 2. The first one is OpenBSD & the second is HardenedBSD. I care a lot about security so I am curious.
Is HardenedBSD really more secure than GhostBSD/FreeBSD ?
Have you used HardenedBSD ? Did you like it ?
I wanted to try it a while back, but I couldn't get it to boot in VMWare. I might give it a try under virtualbox one day, though.

1) As to security: what does it matter when the major CPU providers have micro-op caches that can be read & manipulated?

2) It's all matters of degree. An OS can only do so much and provided it doesn't provide easy targets for stack smashing, buffer overflows etc, then it's done its job. The role of OpenBSD and to a lesser extent HardenedBSD are admirable, though, especially in appliances. See point 1.
 

Trihexagonal

Daemon

Reaction score: 1,703
Messages: 2,277

When I decided to learn about Internet Security I figured the best way to prevent being exploited was to know how exploits were carried out. And there had to be a hard way to do it...

That was back when I did everything the hard way, because I didn't know any better.

Now I do and try not to make things any harder than they already are.
 

tOsYZYny

Active Member

Reaction score: 7
Messages: 185

A firewall is just one layer of protection. It depends on what you're worried about.

Nowadays, DNS may be over HTTPS, so even if you were to block DNS requests to certain domains, that can be subverted.
Secondly, if you're not proxying your HTTP and HTTPS traffic and filtering out traffic, traffic can still go through unrestricted.
And, furthermore, if you are running a proxy and filtering HTTP and HTTPS, you'd need a good proxy to ensure you're not leaking private information. I suppose though, if you're leaking private information, then you must have already entered it into the browser. But I am really thinking about mobile and IoT. All of those apps we have installed pretty much do whatever they want. Some of them use their own DNS. Depending on the app, you have to let it record audio, camera, access to the network, your contacts, the list goes on and on.

What can an average consumer do at that point?

I have had suricata, snort, bro, elasticsearch, kibana, argus, and squid (with SSL bumping) installed in the past and as a "security enthusiast", it would be fun to see what I could find and potentially protect. However, merely installing it isn't enough; a little bit more know-how is required and time in keeping those systems patched.

I run FreeBSD on my "router", I do filter some IP traffic, have time of day restrictions (via PF anchors), and block certain DNS traffic.
 